8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.004 Low
EPSS
Percentile
73.3%
An issue was discovered in OpenJPEG 2.3.0. Missing checks for
header_info.height and header_info.width in the function pnmtoimage in
bin/jpwl/convert.c can lead to a heap-based buffer overflow.
Author | Note |
---|---|
mdeslaur | Ubuntu packages are built with -DBUILD_JPWL:BOOL=OFF, so the vulnerable code isn’t compiled |
ccdm94 | the openjpeg package does not include the file patched by commit 619e1b086ea. Before the refactoring, there was a single convert.c file, which according to the code, seems to be affected by this vulnerability, however, it seems like the vulnerability in this case is related to CVE-2016-9118 instead, which has a very similar patch. |
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.004 Low
EPSS
Percentile
73.3%